Help
FortiSASE
FortiSASE delivers both a consistent security posture and an optimal user experience for users working from anywhere. Secure your hybrid workforce by closing security gaps, plus simplify operations.
ChrisTan
Staff
Staff

Created on ‎02-26-2025 09:45 PM

Article Id 378921

Technical Tip: A double 'deny' in the route map and prefix list configuration permits the traffic to pass

Description This article explains how FortiSASE handles route processing in scenarios where SSLVPN subnets overlap with SPA BGP routes.
Scope FortiSASE.
Solution

In FortiSASE, the IPAM configuration can be enabled: Region IP addresses

 

FortiSASE instance supports unique IP address ranges for remote VPN and edge endpoints per FortiSASE security PoP using IPAM within the overall 100.65.0.0/16 range, by default. The below subnets from the following private IP pools are available:

  • 100.65.0.0/16 (default).

  • 10.0.0.0/8.

  • 100.64.0.0/10.

  • 172.16.0.0/12.

  • 192.168.0.0/16.

 

2025-02-26_14h06_37.png

 

The IP pools assigned to VPN and edge devices may overlap with SPA BGP routes, particularly within the 10.0.0.0/8 range.

 

To resolve this conflict, the excluded subnets must be modified to permit routing from the HUB. For example, the 10.128.0.0/16 is excluded:

 

config router bgp
    set as 65001
    set router-id 10.251.1.1
        config neighbor
            edit "10.251.1.251"
         ....
            set route-map-in "hubs"  <----route-map-in direction.
            set route-map-out "hubs-out"
         ...

            config router route-map
                edit "hubs"
                    config rule
                        edit 1
                            set action deny   <---- Action deny.
                            set match-ip-address "internal"  <----- Deny 'internal' subnet.
                            unset set-ip-prefsrc
                        next

                     end

 

config router prefix-list
    edit "internal"
        config rule
            edit 1
                set action deny    <----- Double deny.
                set prefix 10.128.0.0 255.255.0.0
                unset get
                set le 32
            next
                edit 2
                set prefix 10.0.0.0 255.0.0.0
                unset get
                set le 32
            next
                edit 3
            end

 

From the BGP routing table:

 

FGT $ get router info bgp network

VRF 10 BGP table version is 9, local router ID is 10.251.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/32 0.0.0.0 100 32768 0 i <-/1>
*> 10.0.32.0/20 0.0.0.0 100 32768 0 i <-/1>
*>i10.128.0.0/16 10.251.1.251 0 100 0 1000 i <1/1>  <----- 10.128.0.0/16 route received from the HUB.
*> 10.251.1.1/32 0.0.0.0 100 32768 0 i <-/1>

Total number of prefixes 3

 

In the above example, the FortiSASE IPAM exclude subnets configuration creates a double 'deny' action in both the route map and the prefix list. Without this exclusion configuration, the BGP route will not be received.
71
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.